Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <E1cBjhk-0000Fg-Ct@xenbits.xenproject.org>
Date: Tue, 29 Nov 2016 14:48:20 +0000
From: Xen.org security team <security@....org>
To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org,
 xen-users@...ts.xen.org, oss-security@...ts.openwall.com
CC: Xen.org security team <security@....org>
Subject: Xen Security Advisory 201 - ARM guests may induce host
 asynchronous abort

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                    Xen Security Advisory XSA-201

             ARM guests may induce host asynchronous abort

ISSUE DESCRIPTION
=================

Depending on how the hardware and firmware have been integrated,
guest-triggered asynchronous aborts (SError on ARMv8) may be received
by the hypervisor.  The current action is to crash the host.

A guest might trigger an asynchronous abort when accessing memory
mapped hardware in a non-conventional way.  Even if device
pass-through has not been configured, the hypervisor may give the
guest access to memory mapped hardware in order to take advantage of
hardware virtualization.

IMPACT
======

A malicious guest may be able to crash the host.

VULNERABLE SYSTEMS
==================

All Xen versions which support ARM are potentially affected.

Whether a particular ARM systems is affected depends on technical
details of the hardware and/or firmware.

x86 systems are not affected.

MITIGATION
==========

On systems where the guest kernel is controlled by the host rather than
guest administrator, running only kernels which do not expose MMIO to
userspace will prevent untrusted guest users from exploiting this issue.
However untrusted guest administrators can still trigger it unless
further steps are taken to prevent them from loading code into the
kernel (e.g by disabling loadable modules etc) or from using other
mechanisms which allow them to run code at kernel privilege.

NOTE REGARDING LACK OF EMBARGO
==============================

The issue was discussed publicly (and has been fixed already in KVM in
public trees).

CREDITS
=======

This issue was discovered by ARM engineering personnel.

RESOLUTION
==========

Applying the appropriate set of attached patched resolves this issue.

xsa201-[1234].patch       Xen-unstable

xsa201-[12].patch         }
xsa201-3-4.7.patch        } Xen 4.7.x, Xen 4.6.x
xsa201-4.patch            }

$ sha256sum xsa201*
ffdefdaa67748df7fccbc82011202724c622ca432cd121853ecab45ff4657406  xsa201-1.patch
0665eb575b056f98d5330ef23f497b2b3de1a15319e2012005890a17df32a7ed  xsa201-2.patch
4486d5efb59c1f1fff04a3cb697f948d5bf680e2a1c0d76cd44382ad8fa9095e  xsa201-3.patch
ca82c82acd51bf3cb8114d1843519c28e3df26243bd45eb712ff10ba11061b93  xsa201-3-4.7.patch
1de6ddb4b5b46ae390ec4587e588c00a706f4a68365d379db7ad54234f770d48  xsa201-4.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJYPZSoAAoJEIP+FMlX6CvZ2zoH/ivzE70xsLHYJUxveoBiFuiU
KHFzF0X63G681FjLyU4SY2GkH5K9YutJ1uaakp+peD96fQqCXBHxWUMPAfblnd7t
YueMYuFqcz3mE2ypJjBh/fdI8a4UrKHHg3z6Hw6X91p+SRmPsnt9v7OzytoYOiE4
fDeaATwl1LxB+Z/yJETlo/JMgwrtuYZ9EZM9gIzxdOVw+QbQyEYHmuIyni8BNRvZ
+biRRQo37K5+jLY3f/RoXKcpqnHqjKOOmfjkxJJAsxqpdTSw5fRJqSZE4G5oUVs2
AAvSKhLObFahMlPqtoNXSC6lG5Gbd3e/h+6N2N/96TXs6Wr+d0VuC+lkYUjwcJk=
=KEYF
-----END PGP SIGNATURE-----

Download attachment "xsa201-1.patch" of type "application/octet-stream" (3078 bytes)

Download attachment "xsa201-2.patch" of type "application/octet-stream" (6453 bytes)

Download attachment "xsa201-3.patch" of type "application/octet-stream" (1658 bytes)

Download attachment "xsa201-3-4.7.patch" of type "application/octet-stream" (1635 bytes)

Download attachment "xsa201-4.patch" of type "application/octet-stream" (4469 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.